Hi,
I am indexing FreeRadius Accounting logs from /var/log/radius/radacct/
directory.
Below is an image of a sample log in Splunk:
Issues/Requests:
TimeStamp = < > field in the log, creating two logs on Splunk instead of one (shown in a red box in the image)
host= on Splunk to map to field "Tunnel-Server-Auth-Id:0" in the log itself, so it can be searched via hostname?
Thanks! I'd love input on these and am absolutely open to reading through links/documentation anyone shares to find the answer.
In props.conf you have to set the format you want.
Thanks! I do recognize where I might change it, along with transforms.conf, but I was hoping for a more definitive reading or guide to understand my particular problem.
1- Looks like you just have to set up your props.conf so that the timestamp is ignored, or the "Fri..." is ignored as the date by defining what the data should look like, AND you should do the event breaker as well, which I would set to something like:
^\w\w\w\s\w\w\w\s\d\d\s\d\d:
2- props.conf and transforms.conf is the way that I would do it, but there may be an easier way. Anyone else want to chime in here?
3- That would be the way the log is created, or you might be able to do it again in props.conf and transforms.conf. I don't know how to make the radius log format be different.
If you want to know more about the props.conf and transforms.conf ways, comment here to let me know and I'll add some more, or others can help out with it too. 🙂 #1 should be easy enough to do if you have access. Do you have access to the props.conf on the indexers, or are you using cloud?
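As an added illustration of points 1 and 2 above (this is not cpetterborg's code, nor anything from the FreeRADIUS or Splunk projects), the script below does in Python what the props.conf/transforms.conf stanzas would do at index time: it breaks a constructed radacct detail file into one event per "Fri Jan 12 ..." header line so that the trailing epoch "Timestamp =" attribute no longer spawns a second event, parses each event's attributes, and pulls the host out of "Tunnel-Server-Auth-Id:0". It goes slightly beyond the regex in the answer by allowing a single-digit day (FreeRADIUS writes the header in ctime form, so the 5th of the month appears as "Jan  5" with two spaces, which `\d\d` would miss). The sample records, the sourcetype name `freeradius:radacct`, the transform name `radacct_host`, and the NAS names are all made up for the example; the Splunk settings quoted in the comment are standard props.conf/transforms.conf keys, but the stanzas themselves are my assumed equivalents, not a tested deployment.

```python
import re
from datetime import datetime

# Constructed sample radacct detail output (values are invented). Each record
# starts with a ctime-style header, attributes are tab-indented, records are
# separated by a blank line. The second record uses a single-digit day.
SAMPLE = """\
Fri Jan 12 10:23:45 2018
\tAcct-Session-Id = "5A58B2F1-00000001"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tTunnel-Server-Auth-Id:0 = "nas-edge-01"
\tAcct-Status-Type = Start
\tTimestamp = 1515752625

Fri Jan  5 08:01:02 2018
\tAcct-Session-Id = "5A58B2F1-00000002"
\tUser-Name = "bob"
\tTunnel-Server-Auth-Id:0 = "nas-edge-02"
\tAcct-Status-Type = Stop
\tTimestamp = 1515139262

"""

# Assumed Splunk equivalent of the logic below (sourcetype/transform names are
# placeholders chosen for this example):
#
#   props.conf
#   [freeradius:radacct]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=\w{3}\s\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\d{4})
#   TIME_FORMAT = %a %b %e %H:%M:%S %Y
#   MAX_TIMESTAMP_LOOKAHEAD = 30
#   TRANSFORMS-radhost = radacct_host
#
#   transforms.conf
#   [radacct_host]
#   REGEX = Tunnel-Server-Auth-Id:0\s*=\s*"?([^"\r\n]+)"?
#   DEST_KEY = MetaData:Host
#   FORMAT = host::$1

# Header line: weekday, month, space-padded day, time, year.
HEADER_RE = re.compile(r"^\w{3}\s\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d\s\d{4}$")
# Attribute line: name = value, value optionally double-quoted.
ATTR_RE = re.compile(r'^\s*([\w\-:]+)\s*=\s*"?(.*?)"?\s*$')


def break_events(text):
    """Split raw radacct text into events; a new event starts only at a
    header line, so the epoch 'Timestamp' attribute stays inside its record."""
    events, current = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_event(event):
    """Turn one event into a dict of attribute -> value; the header line is
    kept under '_header' for timestamp parsing."""
    lines = event.split("\n")
    fields = {"_header": lines[0]}
    for line in lines[1:]:
        m = ATTR_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def event_time(fields):
    """Parse the header the way TIME_FORMAT above would (naive local time)."""
    return datetime.strptime(fields["_header"], "%a %b %d %H:%M:%S %Y")


def host_for(fields, default="unknown"):
    """What the transform writes into MetaData:Host for this event."""
    return fields.get("Tunnel-Server-Auth-Id:0", default)


def index_sample(text=SAMPLE):
    """Break, parse and host-tag every record; returns a list of dicts."""
    out = []
    for event in break_events(text):
        fields = parse_event(event)
        fields["host"] = host_for(fields)
        out.append(fields)
    return out


if __name__ == "__main__":
    for rec in index_sample():
        print(event_time(rec).isoformat(), rec["host"], rec["User-Name"], rec["Acct-Status-Type"])
```

Running it prints two events (not four), one per record, each carrying the NAS name from Tunnel-Server-Auth-Id:0 as its host; the same regexes are what the commented props/transforms stanzas would apply at the indexer or heavy forwarder.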
Thanks cpetterborg!
Still stuck on 3) unfortunately. If you stumble upon something, please do share!
From the FreeRadius Wiki it looks like you can't change the separated lines to a single line. Here is a web page that gives the information on what you CAN do:
So it looks like you will have to accomplish that through the transforms and props configs. But, is that what you want to do? What would that accomplish? Are you just having problems with the event and parsing, because I would think that you could still do all that and just leave the data on multiple lines.